VMware Cloud Director 10.1 | 9 APR 2020 | Build 15967253 (installed build 15967236)
Check for additions and updates to these release notes.
What's in this Document
- What's New in This Release
- Product Support Notices
- Upgrading from Previous Releases
- System Requirements and Installation
- Resolved Issues
- Known Issues
- For information about the new and updated features of this release, see the VMware Technical White Paper What’s New with VMware vCloud Director 10.1.
- Changed behavior in the HTML5 UI:
In earlier VMware Cloud Director versions, you can use the vApp action menu in the HTML UI to stop or to power off a vApp. Both power operations undeploy the vApp, but affect the vApp differently. The Power Off operation does not follow the Start and Stop Order settings for the virtual machines in the vApp. The Power Off operation also undeploys any vApp networks by disconnecting all VM NICs from organization VDC networks and by removing any edge gateways deployed for the vApp.
Starting with VMware Cloud Director 10.1, performing the Power Off operation on a running vApp results in powering off all the virtual machines in the vApp without undeploying the vApp and the virtual machines in it. The NICs of the virtual machines remain connected to the respective networks and any vApp edge gateways remain deployed. The vApp and the virtual machines in the vApp remain deployed. The Power Off action for each of the individual virtual machines in the vApp remains active and you can use it to power off a virtual machine. This action results in the undeployment of this virtual machine.
When you power off a vApp, the Power Off operation follows the start order that you defined in the Start and Stop Order settings. As a result, virtual machines are powered off in reverse order to how you configured them for startup. The Stop Wait setting is not applied during the Power Off operation. When you power off a vApp, the power state of the vApp, which is derived from the power states of the virtual machines in it, displays as Powered Off.
- WARNING: After upgrading to version 10.1, VMware Cloud Director will always verify certificates for any infrastructure endpoints connected to it. This is due to a change in the way VMware Cloud Director manages SSL certificates. If you do not import your certificates into VMware Cloud Director before the upgrade, the vCenter Server and NSX connections might show failed connection errors due to SSL verification issues. In this case, after upgrading, you have two options:
- Run the cell management tool
trust-infra-certscommand to automatically connect and retrieve certificates of all infrastructure endpoints for vCenter Server and NSX Manager instances into the centralized certificate store. See Import Endpoints Certificates from vSphere Resources.
- In the Service Provider Admin Portal UI, select each vCenter Server and NSX instance, and reenter the credentials while accepting the certificate.
- Run the cell management tool
- Starting with version 10.1, service providers and tenants can use the VMware Cloud Director API to test connections to remote servers and to verify server identity as part of an SSL handshake. To protect VMware Cloud Director network connections, configure a blacklist of internal hosts that are unreachable to tenants who are using the VMware Cloud Director API for connection testing. Configure the blacklist after а VMware Cloud Director installation or upgrade and before granting tenants access to VMware Cloud Director. See Configure a Test Connection Blacklist.
VMware Cloud Director 10.1 deprecates the behavior to trust all SSL certificates. In this release, vCenter Server and NSX connections do not support this option. For all other connections, trusting all certificates is also deprecated and will become unsupported after VMware Cloud Director 10.1. System Administrators must prepare for this transition.
- If you use the LDAP for your VMware Cloud Director system organization, you can use the trust-on-first-use dialog in the UI or upload certificates by using the API.
- Аudit all uses of this option and supply appropriate certificates by using the UI or the API.
- Communicate the changes to the tenants. All tenants that are using custom LDAP with enabled Accept all certificates option must transition away from this configuration. Tenants can either use the trust-on-first-use dialog in the UI or upload certificates through the API.
Updated Open Source Packages
jackson-databindto version 220.127.116.11.
jreto version 1.8.0u231.
opensslto version 1.0.2u.
xstreamto version 18.104.22.168.
VMware Cloud Director 10.1 does not support vSphere 7.0 and NSX-T 3.0. The interoperability certification is in progress and vSphere 7.0 and NSX-T 3.0 will be supported in a minor patch release of VMware Cloud Director 10.1.
End of Life and End of Support Warnings
- SQL Server database is no longer supported. Only the PostgreSQL database is supported.
- Oracle Linux is no longer supported as the host operating system to install the VMware Cloud Director application.
- VMware Cloud Director API version 29 and below are not supported.
- VMware Cloud Director API version 30.0 is deprecated and will become unsupported after VMware Cloud Director 10.1
- VMware Cloud Director API version 31.0 is deprecated.
- The Flex-based UI has been removed from the product and is no longer supported.
/api/sessionsAPI login endpoint was deprecated in VMware Cloud Director API version 33.0/VMware Cloud Director 10.0 and will be unsupported in a future VMware Cloud Director release. You can use the separate VMware Cloud Director OpenAPI login endpoints for the service provider and tenant access to VMware Cloud Director.
- The API
/cloud/server_statusis deprecated for both HTTP and HTTPS protocols and will be removed in a future release. You must use the
/api/server_statusfor both HTTP and HTTPS protocols.
- The reset actions
/ldap/action/resetLdapKeyStoreare removed from VMware Cloud Director API Version 34.0 due to the way VMware Cloud Director 10.1 stores and handles SSL certificates. You must use
the /cloudapi/1.0.0/ssl/trustedCertificatesendpoint to untrust certificates.
- The update actions
/ldap/action/updateLdapKeyStoreare deprecated and will not be supported in future releases. VMware Cloud Director introduces a new endpoint for trusting of LDAP certificates
- vSphere deprecates the vSphere SSO as a SAML IDP. All VMware Cloud Director deployments configured to use vSphere SSO as their SAML IDP must migrate to a different external SAML IDP. The use of this IDP will not be supported in future vSphere and VMware Cloud Director releases.
- DSA and DSS certificates are no longer supported because no recommended cipher suites are available for them.
Upcoming End of Support Notice
- VMware Cloud Director API 34.0 (VMware Cloud Director 10.1) contains APIs that are under accelerated deprecation and will be removed in future releases. See VMware Cloud Director API Programming Guide.
For more information on upgrading to VMware Cloud Director 10.1, upgrade and migration paths and workflows, see Upgrading and Migrating the VMware Cloud Director Appliance or Upgrading vCloud Director on Linux.
Ports and Protocols
For information on the network ports and protocols used by VMware Cloud Director 10.1, see VMware Ports and Protocols.
See the VMware Product Interoperability Matrixes for current information about:
- VMware Cloud Director interoperability with other VMware platforms
- Supported VMware Cloud Director databases
Supported VMware Cloud Director Server Operating Systems
- CentOS 6
- CentOS 7
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
Supported AMQP Servers
VMware Cloud Director uses AMQP to provide the message bus used by extension services, object extensions, and notifications. This release of VMware Cloud Director requires RabbitMQ version 3.7.9 or 3.8.2
For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
Supported Databases for Storing Historic Metric Data
You can configure your VMware Cloud Director installation to store metrics that VMware Cloud Director collects about virtual machine performance and resource consumption. Data for historic metrics is stored in a Cassandra database. VMware Cloud Director supports Cassandra versions 3.x.
For more information, see the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
Disk Space Requirements
Each VMware Cloud Director server requires approximately 2100MB of free space for the installation and log files.
Please consult VMware Cloud Director Installation, Configuration, and Upgrade Guide for memory requirements
VMware Cloud Director is a CPU-bound application. CPU over-commitment guidelines for the appropriate version of vSphere should be followed. In virtualized environments, regardless of the number of cores available to VMware Cloud Director, there must be a sensible vCPU to physical CPU ratio, that does not result in extreme over-committing.
Required Linux Software Packages
Each VMware Cloud Director server must include installations of several common Linux software packages. These packages are typically installed by default with the operating system software. If any of the packages are missing, the installer fails with a diagnostic message.
alsa-lib bash chkconfig coreutils findutils glibc grep initscripts krb5-libs libgcc
libICE libSM libstdc++ libX11 libXau libXdmcp libXext libXi libXt libXtst
module-init-tools net-tools pciutils procps redhat-lsb sed tar wget which
In addition to the installer required packages, several procedures for configuring the network connections and creating SSL certificates require the use of the Linux
nslookup command, which is available in the Linux bind-utils package.
Supported LDAP Servers
You can import users and groups to VMware Cloud Director from the following LDAP services.
|Platform||LDAP Service||Authentication Methods|
|Windows Server 2012||Active Directory||Simple, Simple SSL|
|Windows Server 2016||Active Directory||Simple, Simple SSL|
|Linux||OpenLDAP||Simple, Simple SSL|
Supported Security Protocols and Cipher Suites
VMware Cloud Director requires the client connections to be secure. SSL version 3 and TLS version 1.0 and 1.1 have been found to have serious security vulnerabilities and are no longer included in the default set of protocols that the server offers to use when making a client connection. System administrators can enable more protocols and cipher suites. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide. The following security protocols are supported:
- TLS version 1.2
- TLS version 1.1 (disabled by default)
- TLS version 1.0 (disabled by default)
Supported cipher suites enabled by default:
System administrators can use the cell management tool to explicitly enable other supported cipher suites that are disabled by default.
Note: Interoperation with releases of vCenter Server earlier than 5.5-update-3e and versions of
ovftool earlier than 4.2 require VMware Cloud Director to support TLS version 1.0. You can use the cell management tool to reconfigure the set of supported SSL protocols or ciphers. See the Cell Management Tool section in the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
VMware Cloud Director is compatible with the current major and previous major release of the following browsers:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Microsoft Internet Explorer 11
Supported Guest Operating Systems and Virtual Hardware Versions
VMware Cloud Director supports all guest operating systems and virtual hardware versions supported by the ESXi hosts that back each resource pool.
VMware Cloud Director WebMKS 2.1.1
The VMware Cloud Director WebMKS 2.1.1 console adds support for:
- the PrintScreen key in Google Chrome and in Mozilla Firefox for Windows.
- the Windows key in Windows and macOS. To simulate pressing the Windows key, press Ctrl+Windows in Windows OS, or Ctrl+Command in macOS.
- Automatic keyboard layout detection in Google Chrome and Mozilla Firefox.
- When you associate two VMware Cloud Director appliance sites, objects are not visible across the sites
If you make a site association and your sites have objects like organizations, organization VDCs, vApps, VMs, you cannot see the objects from the current site. The HTML 5 UI displays only the objects from the other associated site. The issue occurs during multisite fanout communication because the
/etc/hostsfile of the VMware Cloud Director appliance does not have correct contents.
- Updating a VM sizing policy fails with a memory allocation error
If you convert an allocation-pool VDC to a flex organization VDC, vCloud Director keeps the maximum policy information from the allocation-pool VDC before the conversion. CPU or memory reservation guarantees higher than the reservations defined in the allocation-pool VDC fail with a
Virtual machine reservation or limit or shares settings are invaliderror.
- Quiescing or pausing the primary cell in a multi-cell environment does not restart the periodical tasks on the secondary cell
In a multi-cell environment, when you quiesce or pause the primary cell, the periodical tasks that are running in the background of the primary cell are not started from the secondary cell.
- Cloning a VM on a host-based storage policy with enabled data services to a VM with different host-based storage policy fails with an error
If you create a VM that is on a storage policy that has host-based rules like IOPS or VM Encryption enabled, trying to clone the VM and change the storage policy of the target VM fails with an error
Changing or applying VM Storage Policies with Data Service capabilities during clone operations is disallowed. VM Storage Policies with Data Service capabilities can be assigned to the provisioned VM after the clone operation has been completed and before the VM has been powered on.
- The global tenant role vApp Author can upload and create templates and media without having the necessary right for these operations
The global tenant role vApp Author by default has the
Add a vApp from My Cloudright. Because this right and the
Template/Media: Create/Uploadright share a single operation, VMware Cloud Director incorrectly grants also the
Template/Media: Create/Uploadright to the vApp Author role.
The issue is fixed. If you want the vApp Author role to continue to have the
Template/Media: Create/Uploadright, a service provider can add the right to the vApp Author Global Role and publish it to an organization.
- Newly created virtual machines are deployed on the organization VDC default storage policy
In the vCloud Director Tenant Portal, when you create a new standalone virtual machine, the option to specify the storage policy is missing. As a result the created virtual machine is deployed with the default storage policy of the organization VDC.
- New The VMware Cloud Director appliance deployment fails when you enable the setting to expire the root password upon the first login
If you attempt to deploy an appliance with enabled Expire Root Password Upon First Login setting, the deployment fails and the
/opt/vmware/var/log/firstbootlog file displays an error:
[ERROR] postgresauth script failed to execute.
Workaround: Disable the Expire Root Password Upon First Login setting and specify an initial root password that contains at least eight characters, one uppercase character, one lowercase character, one numeric digit, and one special character.
- New When a vApp User attempts to create a vApp from a template, this might result in "Operation is denied" message
If your assigned user role is vApp User, when you attempt to create a vApp from a template and you customize the VM sizing policies for the virtual machines in the vApp, this results in "Operation is denied" message. This happens because the vApp User role allows you to instantiate vApps from templates, but it does not include rights that allow you to customize a virtual machine's memory, CPU or hard disk. By changing the sizing policy, you could be changing the virtual machine memory or CPU.
- New NFS downtime can cause VMware Cloud Director appliance cluster functionalities to malfunction
If the NFS is unavailable due to the NFS share being full, becoming read only, and so on, can cause appliance cluster functionalities to malfunction. HTML5 UI is unresponsive while the NFS is down or cannot be reached. Other functionalities that might be affected are the fencing out of a failed primary cell, switchover, promoting a standby cell, and so on. For more information about setting up correctly the NFS shared storage, see Preparing the Transfer Server Storage for the VMware Cloud Director Appliance.
- Fix the NFS state so that it is not
- Clean up the NFS share if it is full.
- Fix the NFS state so that it is not
- New Trusting an endpoint while adding vCenter Server and NSX Resources in a multisite environment does not add the endpoint to the centralized certificate storage area
In a multisite environment, while using the HTML5 UI, if you are logged in to a vCloud Director 10.0 site or trying to register a vCenter Server instance to a vCloud Director 10.0 site, VMware Cloud Director will not add the endpoint to the centralized certificate storage area.
- Import the certificate into the VMware Cloud Director 10.1 site by using the API.
- To trigger the certificate management functionality, navigate to the SP Admin Portal of the VMware Cloud Director 10.1 site, go to the Edit dialog of the service, and click Save.
- New Trying to encrypt named disks in vCenter Server version 6.5 or earlier fails with an error
For vCenter Server instances version 6.5 or earlier, if you try to associate new or existing named disks with an encryption enabled policy, the operation fails with a
Named disk encryption is not supported in this version of vCenter Server.error.
- New In a multisite mixed environment with VMware Cloud Director versions 10.0 and 10.1, trusting the certificates for vCenter Server and NSX connections works only for the objects from the local site
If you have a multisite environment with VMware Cloud Director versions 10.0 and 10.1 associated with each other, when you log in to one of the sites, you cannot register vCenter Server or NSX Manager instances on the other site.
Workaround: Log into the site in which you want to register the vCenter Server or NSX Manager instance and start the registration process.
- New In the VMware Cloud Director Tenant Portal, you cannot filter VMs by data center from the advanced filtering option for virtual machines under the Applications tab
In the VMware Cloud Director Tenant Portal, when you navigate to Virtual Machines under the Applications tab in the top navigation bar, filtering the virtual machines by data center from the advanced filtering option results in an error
Bad request: Unknown property name vdcName.
Workaround: From the top navigation bar, select Data Centers and select a data center to view the virtual machines in it.
- New Extension services cannot process RabbitMQ messages from VMware Cloud Director
Extension services that rely on RabbitMQ cannot get the header
notification.typefrom a message because the header has a new temporary name. The header name for VMware Cloud Director 10.1.0 is
Workaround: If your extension services process RabbitMQ messages from VMware Cloud Director and use the
notification.typemessage header, you must change them. If the notification.type header is not available, extension services must get the value from the header
notification.operationType. This change is needed only for version 10.1.0.
- In the VMware Cloud Director Service Provider Admin Portal, deleting an organization virtual data center fails with an error
In the VMware Cloud Director Service Provider Admin Portal, if you add an edge gateway to your organization VDC and enable the gateway to provide VMware Cloud Director Distributed Routing, trying to delete the organization VDC recursively fails with a
Cannot delete organization VDC networkerror message.
- By using API, delete the organization VDC networks and the edge gateways associated with the organization VDC.
- By using API, delete the organization VDC.
- If you disable the provider access to the legacy API login endpoint, all API integrations that rely on the system administrator login stop working, including vCloud Usage Meter and vCloud Availability for VMware Cloud Director
Starting with vCloud Director 10.0, you can use separate VMware Cloud Director OpenAPI login endpoints for service provider and tenant access to VMware Cloud Director. If the service provider access to the legacy
/api/sessionsendpoint is disabled, it causes products that integrate with VMware Cloud Director, like vCloud Usage Meter and vCloud Availability for VMware Cloud Director, to stop working. These products will require a patch to continue to operate.
The issue affects only system administrators. The tenant login is not affected.
Workaround: Re-enable the service provider access to the legacy
/api/sessionsendpoint by using the cell management tool.
- When you change the reservation guarantee values of a VDC, the existing VMs are not updated accordingly even after a reboot
If you have a flex organization VDC with the system default policy and powered-on virtual machines on that VDC are with the default sizing policy, when you increase the resource guarantee value of the VDC, the resource reservation for the existing VMs is not updated and they are also not marked as non-compliant. The issue occurs also when you convert a legacy VDC allocation model to a flex allocation model and the existing VMs become non-compliant with the new default policy of the flex organization VDC after the conversion.
- To display the non-compliant VMs in the vCloud Director UI, perform an explicit compliance check against the VMs by using the VMware Cloud Director API.
- To reapply the policy and reconfigure the resource reservations, in the vCloud Director Tenant Portal, click Make VM Compliant for a non-compliant VM.
- VMware Cloud Director displays incorrect information about running and total VMs and CPU and memory stats in dedicated vCenter Server instances
If a dedicated vCenter Server is version 6.0 U3i or earlier, 6.5U2 or earlier, or 6.7U1 or earlier, VMware Cloud Director displays incorrect information about running VMs, total VMs, and CPU and memory statistical information in the vCenter Server instance. The dedicated vCenter Server tile in the Tenant Portal and the dedicated vCenter Server information in the Service Provider Admin Portal display zero for both running and total VMs, even when there are virtual machines in the vSphere environment.
Workaround: Upgrade the vCenter Server instance to version 6.0 U3j, 6.5U3, 6.7U2 or later.
- Changing the compute policy of a powered on VM might fail
When trying to change the compute policy of a powered on VM, if the new compute policy is associated with a provider VDC compute policy that has VM Groups or Logical VM Groups, an error occurs. The error message contains:
Underlying system error: com.vmware.vim.binding.vim.fault.VmHostAffinityRuleViolation.
Workaround: Power off the VM, and retry the operation.
- When using the VMware Cloud Director Service Provider Admin Portal with Firefox, you cannot load the tenant networking screens
If you are using the VMware Cloud Director Service Provider Admin Portal with Firefox, the tenant networking screens, for example, the Manage Firewall screen for an organization virtual data center, might fail to load. This issue happens if your Firefox browser is configured to block Third-Party cookies.
Workaround: Configure your Firefox browser to allow third-party cookies.
- VMware Cloud Director 10.1 supports only a list of input parameters of vRealize Orchestrator workflows
VMware Cloud Director 10.1 supports the following input parameters of vRealize Orchestrator workflows:
- A fast-provisioned virtual machine created on a VMware vSphere Storage APIs Array Integration (VAAI) enabled NFS array, or vSphere Virtual Volumes (VVols) cannot be consolidated
In-place consolidation of a fast provisioned virtual machine is not supported when a native snapshot is used. Native snapshots are always used by VAAI-enabled datastores, as well as by VVols. When a fast-provisioned virtual machine is deployed to one of these storage containers, that virtual machine cannot be consolidated .
Workaround: Do not enable fast provisioning for an organization VDC that uses VAAI-enabled NFS or VVols. To consolidate a virtual machine with a snapshot on a VAAI or a VVol datastore, relocate the virtual machine to a different storage container.